Have you applied Julian Anastasov's kernel patches? If not, I
don't think these rules are enough. Another method to ensure that
the interface is not changed during a connection is to use CONNMARK
in iptables.
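
One way the CONNMARK approach mentioned above can look, as an added example that is not part of the original post. The interface names, marks, gateway addresses and the table numbering (100 + mark) are assumptions; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints (does not execute) iptables/ip commands that pin each
# connection to the uplink it first used, via CONNMARK plus fwmark routing.
# Usage: emit_connmark_rules IFACE MARK GATEWAY [IFACE MARK GATEWAY ...]
emit_connmark_rules() {
    if [ "$#" -eq 0 ] || [ $(( $# % 3 )) -ne 0 ]; then
        echo "usage: emit_connmark_rules IFACE MARK GATEWAY ..." >&2
        return 1
    fi
    # Copy the mark saved on the conntrack entry onto each packet before the
    # routing decision, for forwarded (PREROUTING) and local (OUTPUT) traffic.
    rules="iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
    while [ "$#" -gt 0 ]; do
        iface=$1 mark=$2 gw=$3
        shift 3
        # Mark 0 means "unmarked", so it cannot identify an uplink.
        case $mark in
            ''|*[!0-9]*|0*) echo "invalid mark: $mark" >&2; return 1 ;;
        esac
        table=$((100 + mark))   # assumed numbering for the per-uplink table
        # Record the uplink on the first packet only (inbound: -i, outbound: -o),
        # then route every later packet carrying that mark through its own table.
        rules="$rules
iptables -t mangle -A PREROUTING -i $iface -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
iptables -t mangle -A POSTROUTING -o $iface -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
ip route replace default via $gw dev $iface table $table
ip rule add fwmark $mark table $table"
    done
    # Nothing is printed unless every uplink validated, so a bad argument
    # never yields a half-complete rule set.
    printf '%s\n' "$rules"
}

# Constructed sample: two uplinks with documentation-range gateways.
emit_connmark_rules eth1 1 192.0.2.1 eth2 2 198.51.100.1
```

The restore rules have to precede the per-uplink rules in PREROUTING, which is why they are emitted first.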